When crawling a web application for the purpose of security testing, a capability for identifying links and requests which, when processed, log a user out of the web application is beneficial. One benefit typically realized is a reduced number of false positives and false negatives for security tests that require knowledge of which requests are logout requests, or that require the application to be in a known state (for example, a logged-in state or a logged-out state) when the test request is sent. An example of this type of security test is a check for a session that is not invalidated after logout.
Another benefit lies in improved crawl performance because a logout is performed deterministically rather than accidentally. Some applications require a user to be logged out before a subsequent login request will succeed, accordingly requiring knowledge of which requests are logout requests to successfully crawl these applications.
A challenge exists because logout pages, other than logout pages defined by the user, are difficult to identify. Additionally, logout links, suspicious activity or specific actions that log the user out automatically may exist without the user being aware of these possibilities.
Current technologies for identification of logout pages typically rely on expert knowledge. For example, application scanners typically use regular expressions; however, a regular expression method typically fails for various reasons. Failures typically occur when web pages are written in a language other than English, or use a different choice of words for a logout page that does not match the regular expression currently in use. A response is not always predictable because different pages of the application being examined may respond in different ways when a session is terminated, including returning an error, invoking another process or page, or ceasing processing.
Using the example of the application scanner, a capability to identify when the session is no longer valid may be present, enabling the scanner to replay a login sequence to re-establish the session and continue scanning. In another example, the application scanner may rely on sending a heartbeat request and expecting a corresponding pattern in the response to indicate a valid session, and therefore to know whether the scanner is logged in.
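As an added illustration (not code from the original text), the following Python contrasts the two approaches described above: an English-keyword regular expression, which misses a German logout path, and a heartbeat check that observes session state before and after each crawled request. The in-memory `FakeApp`, the paths `/login`, `/konto/abmelden`, `/heartbeat` and the heartbeat body `user=<name>` are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed in-memory stand-in for the application under test (not a real
# server): it only tracks whether the crawler's session is still logged in.
@dataclass
class FakeApp:
    logged_in: bool = False
    def handle(self, path: str) -> tuple[int, str]:
        if path == "/login":
            self.logged_in = True
            return 200, "Welcome, alice"
        if path == "/konto/abmelden":      # German "log out": no English keyword
            self.logged_in = False
            return 302, ""
        if path == "/heartbeat":           # cheap request whose body reveals session state
            return (200, "user=alice") if self.logged_in else (401, "login required")
        return 200, "ordinary page"

# Expert-knowledge approach from the text: match paths against English words.
LOGOUT_RE = re.compile(r"log ?out|sign ?out", re.IGNORECASE)

def regex_guess(paths: list[str]) -> list[str]:
    return [p for p in paths if LOGOUT_RE.search(p)]

# Heartbeat approach from the text: the session is valid only while the heartbeat
# response matches the expected pattern (constructed here as "user=<name>").
HEARTBEAT_OK = re.compile(r"user=\w+")

def session_valid(app: FakeApp, heartbeat: str = "/heartbeat") -> bool:
    status, body = app.handle(heartbeat)
    return status == 200 and HEARTBEAT_OK.search(body) is not None

def find_logout_requests(app: FakeApp, paths: list[str], heartbeat: str = "/heartbeat") -> list[str]:
    """Send each candidate from a known logged-in state; any request after which
    the heartbeat no longer matches is recorded as a logout request."""
    logout_paths = []
    for path in paths:
        if path == heartbeat:
            continue
        if not session_valid(app, heartbeat):
            app.handle("/login")           # re-establish the known state before probing
        app.handle(path)
        if not session_valid(app, heartbeat):
            logout_paths.append(path)
    return logout_paths

if __name__ == "__main__":
    crawl = ["/", "/konto/abmelden", "/heartbeat", "/about"]
    print("regex guess:", regex_guess(crawl))                   # []
    print("observed:", find_logout_requests(FakeApp(), crawl))  # ['/konto/abmelden']
```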